Abstract — Finding low-weight multiples of a binary polynomial is a difficult problem arising in the context of stream cipher cryptanalysis. The best algorithms to solve this problem are based on a time-memory trade-off. Staying in this category, we will present a new approach using discrete logarithms rather than a direct representation of the involved polynomials. This provides an alternative to the previously known algorithms which improves the computational complexity in some cases.

I. Introduction 

Correlation and fast correlation attacks are probably 
the most important classes of attacks against stream 
ciphers based on linear feedback shift registers (LFSRs). 
They were originally proposed by Siegenthaler [13] and 
improved by Meier and Staffelbach [10]. Since then, 
many different versions have been proposed [1], [8], [7], 
[9], either very general or adapted to specific designs. 

The basic idea is to consider that the output of the stream cipher is a noisy version of a sequence generated by an LFSR with the same initial state. The attack can be seen as an error-correction problem: recover the sequence, and therefore the initial state of the LFSR. To do this, most of the attacks take advantage of parity-check equations that exist in the sequence we are trying to recover. Those parity-check equations are in fact given by the multiples of the feedback polynomial, and to keep the bias as high as possible, low-weight multiples are necessary. As a precomputation step, we thus have to find those parity-check equations before using them in the active part of the attack.

Depending on our objectives (finding one or many such multiples) and on the parameters (degree of the feedback polynomial and of the multiples, expected weight), there exist different algorithms to find low-weight multiples (see [2], [5]). We will complement them by another approach based on the use of discrete logarithms over finite fields. This will lead to a new algorithm for the computation of polynomial multiples that has better performance for some problems. Remark that the complexity of the best methods is often still very high for the parameters used in real cryptosystems. Notice also that in [11] discrete logarithms were already used to compute multiples of weight 3 and 4. We have generalized this idea and improved the complexity analysis.

The paper is organized as follows. Section II introduces some notations. The usual approach used to compute low-weight multiples is presented in Section III. In Section IV we detail our main algorithm and compare its complexity with the algorithm of [2]. Then, we will see in Section V how the complexity is modified when we only want to find a few multiples and not all. Finally, we will discuss in Section VI some important practical points and give some experimental results in Section VII.

II. Preliminary 

A. Notations 

The problem we will be dealing with is the following.

Problem 1 (Low-weight polynomial multiple):

Input: A binary primitive polynomial $P \in \mathbb{F}_2[x]$ of degree $n$, and two integers $w$ and $D$.

Output: All the multiples of $P$ of weight at most $w$ and degree at most $D$.

The expected number of such multiples of $P$ is heuristically approximated by $\binom{D}{w-1}/2^n$, considering that for $D$ large enough, the values modulo $P$ of the polynomials of weight $w$ and degree at most $D$ are uniformly distributed.



Most of the time, the degree $D$ and the weight are chosen high enough for many solutions to exist, as we need many parity-check equations to mount an attack.

It is also worth noticing that we almost never need all the multiples. In fact, to mount a successful attack, one only has to find a fixed number of parity-check equations. It is thus sufficient to find many — but not all — multiples, which might be much easier, especially if the constraints on the degree and the weight are high enough. We therefore introduce a slightly different problem.

Problem 2:

Input: A binary primitive polynomial $P \in \mathbb{F}_2[x]$ of degree $n$, and three integers $w$, $D$ and $B$.

Output: $B$ multiples of $P$ of weight at most $w$ and degree at most $D$, or as many as possible if there are not $B$ such multiples.

III. The classical approach 

A. The algorithm 

The main idea is to use a time-memory trade-off (TMTO). Set $w = q_1 + q_2 + 1$ with $q_1 \le q_2$.
Algorithm 1 (TMTO):

• For all the $q_1$-tuples $\Gamma = (\gamma_1, \ldots, \gamma_{q_1})$ with $0 < \gamma_1 < \cdots < \gamma_{q_1} \le D$, compute and store the pairs $(x^{\gamma_1} + \cdots + x^{\gamma_{q_1}} \bmod P;\ \Gamma)$.

• For all $q_2$-tuples $\Delta = (\delta_1, \ldots, \delta_{q_2})$ with $0 < \delta_1 < \cdots < \delta_{q_2} \le D$, compute $x^{\delta_1} + \cdots + x^{\delta_{q_2}} \bmod P$. Look in the table for an element XORing to 1 (this can be done efficiently by using a hash table). If it exists, this gives

$$1 + \sum_{\gamma \in \Gamma} x^\gamma + \sum_{\delta \in \Delta} x^\delta = 0 \bmod P.$$

B. Complexity 

The usual time-memory trade-off is $q_1 = \lfloor (w-1)/2 \rfloor$ and $q_2 = \lceil (w-1)/2 \rceil$, in order to balance the complexity of the two phases of the algorithm. The most time-consuming part depends on the parity of $w$, as we do not have to compute anything to find the collisions if $q_1 = q_2$.

The memory complexity is then $O(D^{q_1})$ (for the first phase) while the time complexity is $O(D^{q_2})$. Remark that in [2] the memory usage of the algorithm has been improved in order to use only $O(D^{\lceil (w-1)/4 \rceil})$ bits.

IV. Using discrete logarithm 

A. The algorithm 

In this section, we will consider the field $\mathbb{F}_{2^n}$ defined as $\mathbb{F}_2[x]/(P)$. The discrete logarithm (with base element $x$) in this field will be denoted by $\mathrm{Log}$.



Set $w = q_1 + q_2 + 2$ with $q_1 \le q_2$. Take two tuples

$\Gamma = (\gamma_1, \ldots, \gamma_{q_1})$ with $0 < \gamma_1 < \cdots < \gamma_{q_1} \le D$

and

$\Delta = (\delta_1, \ldots, \delta_{q_2})$ with $0 < \delta_1 < \cdots < \delta_{q_2} \le D$.

Denoting by $L_\Gamma$ and $L_\Delta$ the logarithms of $1 + \sum_{\gamma \in \Gamma} x^\gamma$ and $1 + \sum_{\delta \in \Delta} x^\delta$ respectively, the following equalities hold in $\mathbb{F}_2[x]/(P)$:

$$1 + \sum_{\gamma \in \Gamma} x^\gamma = x^{L_\Gamma - L_\Delta} \Big(1 + \sum_{\delta \in \Delta} x^\delta\Big) \quad \text{and} \quad x^{L_\Delta - L_\Gamma} \Big(1 + \sum_{\gamma \in \Gamma} x^\gamma\Big) = 1 + \sum_{\delta \in \Delta} x^\delta.$$

Now let $e \in \,]-2^{n-1}, 2^{n-1}]$ be such that $e$ is equal to $L_\Gamma - L_\Delta$ modulo $2^n - 1$. If $e \ge 0$, then the polynomial

$$1 + \sum_{\gamma \in \Gamma} x^\gamma + x^e \Big(1 + \sum_{\delta \in \Delta} x^\delta\Big) \qquad (1)$$

is a multiple of $P$ with degree $\max(\gamma_{q_1}, \delta_{q_2} + e)$. If $e < 0$, then the polynomial

$$x^{-e} \Big(1 + \sum_{\gamma \in \Gamma} x^\gamma\Big) + 1 + \sum_{\delta \in \Delta} x^\delta \qquad (2)$$

is a multiple of $P$ with degree $\max(\gamma_{q_1} - e, \delta_{q_2})$. So, if one of the two following conditions is satisfied

$e \ge 0$ and $\delta_{q_2} + e \le D$,
$e < 0$ and $\gamma_{q_1} - e \le D$,

we get a multiple of $P$ with degree at most $D$ and weight at most $w$. We can rewrite both conditions in a single inequality

$$\gamma_{q_1} - D \le e \le D - \delta_{q_2}. \qquad (3)$$

The algorithm is then straightforward.
Algorithm 2 (LogTMTO):

• For all the $q_1$-tuples $\Gamma = (\gamma_1, \ldots, \gamma_{q_1})$ with $0 < \gamma_1 < \cdots < \gamma_{q_1} \le D$, compute

$$L_\Gamma = \mathrm{Log}(1 + x^{\gamma_1} + \cdots + x^{\gamma_{q_1}})$$

and store the pairs $(L_\Gamma;\ \Gamma)$.

• For all $q_2$-tuples $\Delta = (\delta_1, \ldots, \delta_{q_2})$ with $0 < \delta_1 < \cdots < \delta_{q_2} \le D$, compute the logarithm

$$L_\Delta = \mathrm{Log}(1 + x^{\delta_1} + \cdots + x^{\delta_{q_2}})$$

and look in the table for all the elements with a logarithm $L_\Gamma$ satisfying (3). For each of them we obtain a multiple of $P$ given by (1) or (2) depending on the sign of $e$.

Of course, since we can decompose all polynomials of weight $w$ in $\binom{w}{q_1 + 1}$ ways, we obtain each multiple many times.

B. Complexity 

In order to perform the second phase, one could sort the table by increasing logarithms, but using an appropriate data structure like a hash table indexed by the most significant bits of the logarithm is a lot more efficient. As long as $D \le 2^{n/2}$, the search cost is $O(1)$.

Once again, we choose the parameters of the time-memory trade-off in order to balance the complexity of the two phases, taking $q_1 = \lfloor (w-2)/2 \rfloor$ and $q_2 = \lceil (w-2)/2 \rceil$.

As for the classical algorithm, the most time-consuming part depends on the parity of $w$, as we do not have to compute any logarithm in the second phase if $q_1 = q_2$.

The memory usage is then $O(D^{q_1})$, while the time complexity is $O(D^{q_2})$ logarithm computations. We will see in Section VI-B that the logarithm can be computed quite efficiently. Actually, for many practical values of $n$ we can even compute it in $O(1)$. Hence we neglect it in Table I.

TABLE I

Comparison between TMTO and LogTMTO

                   w = 2p                    w = 2p + 1
Algorithm     Time        Memory        Time        Memory
TMTO          D^p         D^{p-1}       D^p         D^{⌈p/2⌉}
LogTMTO       D^{p-1}     D^{p-1}       D^p         D^{p-1}



As we can see in Table I, if $w$ is even we can improve the time complexity compared to the classical approach. Heuristically, the improvement by a factor $D$ can be explained by the fact that we look for values in an interval of size roughly $D$ instead of exact collisions.

Regarding the memory however, as explained in [2] the computation behind the classical algorithm can be done using only $O(D^{\lceil (w-1)/4 \rceil})$ bits. So the discrete logarithm approach is always worse for odd $w$ and will only be of practical interest when we are looking for all the multiples of weight 4 and maybe 6. After that, the memory usage just becomes too large.

However, we will see in the next section that when we are only looking for a small fraction of all the multiples of degree up to $D$, the discrete logarithm method can be quite efficient.



V. Find many but not all 

We deal in this section with the problem of finding a small proportion of all the multiples of weight $w$ and degree at most $D$ (Problem 2). If the number $B$ of polynomials we want is small enough, depending on the parameters, we can do better than the previous algorithms.

A very basic approach is to try random polynomials of weight $w$ until we actually find a multiple. In expectation we will then find a multiple every $2^n$ polynomials tried. We can also do the same using discrete logarithms. By computing logarithms for polynomials $A$ of weight $w - 1$ and degree less than $D$, we can easily obtain low-weight multiples of the form $A + x^{\mathrm{Log}(A)}$ if the logarithm is at most $D$. The expectation here is to find a multiple every $2^n/D$ iterations, and we have gained a factor $D$.

However, the best methods to solve this problem are once again TMTO. The algorithms are just simple variations of the previous ones, where we put the elements in the hash table one by one and stop when we have found enough multiples.

Applying the birthday paradox, we can thus find with the basic algorithm a multiple with a time and memory complexity of $O(\sqrt{2^n})$ on average. Using discrete logarithms, we will find a multiple as soon as two logarithms are within a distance of roughly $D$ of each other. The complexity is then $O(\sqrt{2^n/D})$ both in time and memory. Remark that in this case one cannot use the improvement of [2] to gain memory. There is also another approach based on Wagner's generalized birthday paradox (see [14], [5]) that can be useful when $w$ is large. Its complexity is $O(2^a \cdot 2^{n/(a+1)})$ for an $a$ such that $\binom{D}{(w-1)/2^a} \ge 2^{n/(a+1)}$.

As a conclusion to this section, when computing logarithms in $\mathbb{F}_{2^n}$ is easy, we can gain a factor $\sqrt{D}$ in time and memory to find a multiple. Notice also that in practice, when we need many multiples, we can design an algorithm between the one that computes all the multiples and the one presented here in order to get the best performance. We will see an illustration of this in Section VII.
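The two discrete-logarithm strategies of this section, as an added Python example that is not part of the paper: `single_log_search` tries polynomials $A$ of weight $w - 1$ and keeps $A + x^{\mathrm{Log}(A)}$ whenever the logarithm is at most $D$, and `birthday_log_search` is the TMTO variant that inserts logarithms one at a time and stops as soon as condition (3) pairs the new one with a stored one. Both stop after $B$ multiples. The field is again $\mathbb{F}_2[x]/(x^8 + x^4 + x^3 + x^2 + 1)$ (assumed primitive; the table construction checks it), and random sampling is replaced by a seeded shuffle of all candidate tuples so that a run is reproducible and necessarily terminates. The birthday variant is written for even $w$ only, where one table serves both sides; the paper's odd-$w$ case uses two tables in the same way.

```python
# Added example: Problem 2 (find B multiples, not all) with the two discrete-log
# strategies of Section V over F_2[x]/(P).  A seeded shuffle of every candidate
# tuple stands in for random sampling, so the run is reproducible and exhaustive.
import random
from bisect import bisect_left, insort
from itertools import combinations

N, P = 8, 0x11D   # x^8 + x^4 + x^3 + x^2 + 1, assumed primitive (checked in log_table)


def log_table(P, n):
    """x^k mod P for 0 <= k < 2^n - 1 and the brute-force inverse map Log."""
    order = (1 << n) - 1
    pows, logs, a = [], {}, 1
    for k in range(order):
        pows.append(a)
        logs[a] = k
        a <<= 1
        if a >> n:
            a ^= P
    if len(logs) != order:
        raise ValueError("P is not primitive")
    return pows, logs


def value(exps, pows):
    """1 + sum x^e over exps, reduced modulo P."""
    v = 1
    for e in exps:
        v ^= pows[e]
    return v


def is_multiple(exps, pows):
    v = 0
    for e in exps:
        v ^= pows[e]
    return v == 0


def single_log_search(w, D, B, pows, logs, seed=1):
    """Try A = 1 + sum x^a (weight w-1, degree <= D) in a random order; whenever
    1 <= Log(A) <= D, A + x^Log(A) is a multiple of weight at most w.
    Returns (multiples found, logarithms computed)."""
    cands = list(combinations(range(1, D + 1), w - 2))
    random.Random(seed).shuffle(cands)
    found, tries = set(), 0
    for A in cands:
        tries += 1
        L = logs[value(A, pows)]
        if 1 <= L <= D:
            found.add(frozenset({0, L}) ^ frozenset(A))
            if len(found) >= B:
                break
    return found, tries


def neighbours(stored, lo, hi, order):
    """Entries (L, tuple) of the sorted list whose L lies in [lo, hi] modulo order."""
    out = []
    for a, b in ((lo, hi), (lo + order, hi + order), (lo - order, hi - order)):
        i = bisect_left(stored, (a, ()))
        while i < len(stored) and stored[i][0] <= b:
            out.append(stored[i])
            i += 1
    return out


def birthday_log_search(w, D, B, pows, logs, seed=1):
    """Even w only (q1 = q2 = (w-2)/2): insert logarithms one by one and stop as
    soon as condition (3) pairs a new L_Delta with a stored L_Gamma."""
    assert w % 2 == 0
    order = len(pows)
    assert 2 * D + 1 < order
    cands = list(combinations(range(1, D + 1), (w - 2) // 2))
    random.Random(seed).shuffle(cands)
    stored = []                      # sorted (L_Gamma, Gamma) pairs
    found, tries = set(), 0
    for Dt in cands:
        tries += 1
        LD = logs[value(Dt, pows)]
        dmax = Dt[-1] if Dt else 0
        for LG, G in neighbours(stored, LD - D, LD + D - dmax, order):
            e = LG - LD
            if e > D:
                e -= order
            elif e < -D:
                e += order
            gmax = G[-1] if G else 0
            if e == 0 or e < gmax - D:
                continue
            if e > 0:    # (1): 1 + sum x^g + x^e (1 + sum x^d)
                exps = frozenset({0, e}) ^ frozenset(G) ^ frozenset(d + e for d in Dt)
            else:        # (2): x^{-e} (1 + sum x^g) + 1 + sum x^d
                exps = frozenset({-e, 0}) ^ frozenset(g - e for g in G) ^ frozenset(Dt)
            found.add(exps)
            if len(found) >= B:
                return found, tries
        insort(stored, (LD, Dt))     # the new tuple now also serves as a Gamma
    return found, tries


if __name__ == "__main__":
    pows, logs = log_table(P, N)
    # Section V estimates: about 2^n/D = 255/25 logarithms per multiple for the
    # single-log search and about sqrt(2^n/D) for the birthday variant.
    for seed in range(3):
        print(single_log_search(4, 25, 1, pows, logs, seed)[1],
              birthday_log_search(4, 25, 1, pows, logs, seed)[1])
```

The returned counters are the number of logarithms computed before the $B$-th multiple appeared, which is the quantity the $2^n/D$ and $\sqrt{2^n/D}$ estimates of this section describe.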

VI. Practical Considerations 
A. Bounds on the degree 

First of all, it is worth noticing that, in order to compute all the multiples up to degree $D$, it is not necessary to take all the $q_2$-tuples up to degree $D$.

As a polynomial of weight $w$ has many representations as a sum of a polynomial of weight $q_1 + 1$ and one of weight $q_2 + 1$, we can choose the one with the smallest $q_2$-tuple.

Proposition 1: Let $M = 1 + \sum_{i \in I} x^i$ be a multiple of $P$ of weight $w = q_1 + q_2 + 2$ and degree at most $D$. Then there exist an integer $1 \le e \le D$ and two polynomials $A$ and $B$ of respective weight $q_1$ and $q_2$, and of degree respectively at most $D$ and at most …, such that $M = (1 + A) + x^e(1 + B)$ or $M = x^e(1 + A) + (1 + B)$.

With the usual trade-off, we can restrict ourselves to the degree $D/2$, dividing the cost of the second phase approximately by a factor $2^{w/2}$.

B. How to compute logarithms 

In practice, it is important to compute discrete logarithms in $\mathbb{F}_{2^n}$ efficiently, and fortunately there exist well-studied algorithms to do that. It is important to take into account that we are going to compute many logarithms and not only one. All the efficient algorithms for computing logarithms (Baby-step Giant-step, the Pohlig-Hellman algorithm [12] and Coppersmith's algorithm [3], [4]) can profit from a bigger precomputation step that can be done once and for all. For instance, if $2^n - 1$ is smooth enough, one can tabulate the logarithms in all the subgroups of $\mathbb{F}_{2^n}^*$ to make the Pohlig-Hellman algorithm very efficient. In this case, a subsequent discrete logarithm computation can be done in $O(1)$. This approach can be used for all $n$ up to 78 except {37, 41, 49, 59, 61, 62, 65, 67, 69, 71, 74, 77}. In addition we have listed in Table II some larger $n$ for which it is applicable and the corresponding memory requirement. Notice that a full tabulation corresponds to a Giant-step of 1 and that by increasing this Giant-step a little, we can efficiently deal with more values of $n$.
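The fully tabulated Pohlig-Hellman computation described above, as an added Python example that is not the authors' code: for each prime-power factor $m_i$ of $2^n - 1$ it stores the logarithms of the subgroup of order $m_i$ (generated by $x^{(2^n-1)/m_i}$), so a logarithm costs one exponentiation and one lookup per factor plus a Chinese remainder recombination, and the tables hold $\sum_i m_i$ entries instead of $2^n - 1$. The fields used are $\mathbb{F}_2[x]/(x^8 + x^4 + x^3 + x^2 + 1)$ and $\mathbb{F}_2[x]/(x^{12} + x^6 + x^4 + x + 1)$, both assumed primitive (the constructor checks that $x^{(2^n-1)/m_i}$ has exact order $m_i$); the factorization is by trial division, which is only meant for these small $n$.

```python
# Added example: discrete logarithms in F_{2^n} = F_2[x]/(P) by a fully tabulated
# Pohlig-Hellman, one table per prime-power factor of 2^n - 1, recombined by CRT.


def gf_mul(a, b, P, n):
    """Product of two elements of F_2[x]/(P) (ints, bit i = x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= P
    return r


def gf_pow(a, k, P, n):
    """a^k by square-and-multiply."""
    r = 1
    while k:
        if k & 1:
            r = gf_mul(r, a, P, n)
        a = gf_mul(a, a, P, n)
        k >>= 1
    return r


def prime_power_factors(m):
    """[(p, p^k)] for m = prod p^k, by trial division (enough for the small n used here)."""
    out, p = [], 2
    while p * p <= m:
        if m % p == 0:
            q = 1
            while m % p == 0:
                m //= p
                q *= p
            out.append((p, q))
        p += 1
    if m > 1:
        out.append((m, m))
    return out


class TabulatedPohligHellman:
    def __init__(self, P, n):
        self.P, self.n = P, n
        self.order = (1 << n) - 1
        self.tables = []                      # (m, cofactor, {subgroup element: its log})
        for _, m in prime_power_factors(self.order):
            cof = self.order // m
            g = gf_pow(2, cof, P, n)          # x^cof generates the subgroup of order m
            tab, a = {}, 1
            for j in range(m):
                tab[a] = j
                a = gf_mul(a, g, P, n)
            if a != 1 or len(tab) != m:       # x^cof must have order exactly m
                raise ValueError("P is not primitive")
            self.tables.append((m, cof, tab))
        self.entries = sum(m for m, _, _ in self.tables)

    def log(self, h):
        """Log_x(h) for h != 0: project h into each subgroup, look up, recombine by CRT."""
        if h == 0:
            raise ValueError("0 has no logarithm")
        L, M = 0, 1
        for m, cof, tab in self.tables:
            r = tab[gf_pow(h, cof, self.P, self.n)]   # Log(h) mod m
            t = ((r - L) * pow(M, -1, m)) % m         # lift so that L + M*t == r (mod m)
            L += M * t
            M *= m
        return L


def agrees_with_bruteforce(ph):
    """Check ph.log against the sequence 1, x, x^2, ... obtained by shifting."""
    a = 1
    for k in range(ph.order):
        if ph.log(a) != k:
            return False
        a <<= 1
        if a >> ph.n:
            a ^= ph.P
    return True


if __name__ == "__main__":
    for n, P in ((8, 0x11D), (12, 0x1053)):   # x^8+x^4+x^3+x^2+1 and x^12+x^6+x^4+x+1
        ph = TabulatedPohligHellman(P, n)
        print(n, prime_power_factors(ph.order), ph.entries, "table entries instead of", ph.order)
        print("Log(1 + x) =", ph.log(0b11), "; brute force agrees:", agrees_with_bruteforce(ph))
```

For $n = 8$, $2^8 - 1 = 3 \cdot 5 \cdot 17$, so the tables hold 25 entries rather than 255; the ratio between $\sum_i m_i$ and $2^n - 1$ is what makes the memory figures of Table II depend on how smooth $2^n - 1$ is rather than on $n$ alone.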

TABLE II

Memory usage for a fully tabulated Pohlig-Hellman algorithm and some smooth 2^n - 1

n         53       96       110      156      210
memory    439MB    510MB    1.7GB    940MB    201MB



This leads to a very easy and efficient implementation, as we will see in Section VII. Moreover, for the most useful cases (that is $w \in \{3, 4, 5\}$) we have to compute logarithms of the form $\mathrm{Log}(1 + x^i)$. This logarithm is known as the Zech logarithm of $i$, and we can exploit some properties of Zech logarithms (see [6]) to speed up the computation. Actually, by computing one Zech logarithm we get $6n$ other logarithms for free. Of course not all of them are useful for us, but the computation time can be divided by a factor of at least 2.

VII. Experimental result 

We have implemented our algorithm in C to test its efficiency. The computer used for our experiments is a 3.6GHz Pentium 4 with 2MB of cache and 2GB of RAM.

A. Problem 1

We give in Table III the timings to find all the multiples of weight $w$ up to degree $D$ of the polynomial

$$P = x^{53} + x^{47} + x^{45} + x^{44} + x^{42} + x^{40} + x^{39} + x^{38} + x^{36} + x^{33} + x^{32} + x^{31} + x^{30} + x^{28} + x^{27} + x^{26} + x^{25} + x^{21} + x^{20} + x^{17} + x^{16} + x^{15} + x^{13} + x^{11} + x^{10} + x^{7} + x^{6} + x^{5} + x^{2} + x + 1.$$

As explained in the previous section, we used a fully tabulated Pohlig-Hellman algorithm.

TABLE III

Problem 1: find all the multiples up to degree D

n      w     log2(D)    time
53     4     20         47"
53     4     22         2'02"
53     4     28         1h52'
53     5     13         4'11"
53     5     14         14'40"
53     5     16         3h33'



We can see that the algorithm is, as expected, very efficient for weight 4, as its complexity is linear in the degree $D$, both for time and memory (to be compared to a quadratic complexity for the classical approach).

We were also able to compute all the multiples of weight 5 and degree up to $2^{16}$ of a polynomial of degree 53 within a few hours. But for weight 5 the algorithm of [2] is more efficient.

B. Problem 2 

With the same polynomial of degree $n = 53$, we also looked for multiples with a higher weight $w = 7$ and degree at most $D = 2^{15}$. In order to do that, we precomputed all the trinomials $(1 + x^{\gamma_1} + x^{\gamma_2})$ up to the degree $K$, which corresponds to $q_1 = 2$, instead of 3 for the optimal trade-off. We then computed many discrete logarithms of random polynomials $(1 + x^{\delta_1} + x^{\delta_2} + x^{\delta_3} + x^{\delta_4})$ in order to find multiples of weight 7. The results are given in Figure 1, where we see that a bigger precomputation can greatly improve the performance.

[Figure 1: plot not reproduced in the extracted text; x-axis: Iteration]

Fig. 1. Evolution of the number of multiples of weight 7 and degree lower than $2^{15}$ found with precomputed logarithms up to degree $K$

VIII. Conclusion 

In this paper, we devised an algorithm to find low-weight multiples of a given binary polynomial that appears to be efficient in two cases that actually occur in practice.

The first case is when we are looking for all the multiples of weight 4 and degree at most $D$ of a given polynomial of degree $n$. The complexity is then $O(D)$ discrete logarithm computations in $\mathbb{F}_{2^n}$, where the other approach runs in $O(D^2)$. So the best algorithm will depend on the complexity of a discrete logarithm computation in $\mathbb{F}_{2^n}$, which can be smaller than $D$ in many practical situations. Notice that our algorithm may also give better performance for multiples of weight 6.

The other case where discrete logarithms can be useful is when we are only looking for a small fraction of all the possible multiples. The complexity to find one of them is then $O(\sqrt{2^n/D})$ logarithm computations.